Friday, June 21, 2013

SEC Argues For Continued Authority To Obtain Emails Directly From ISPs

TheElectronic
Frontier Foundation’s (“EFF’s”) March 18, 2013 article reported
on the “first hearing in what many
. . . hope will be a successful update to the archaic Electronic Communications
and Privacy Act (“ECPA”) in this year's Congress.”In his press release,
Senator Leahy, said he
had “worked to make sure . . . updates”
to the ECPA “carefully balance privacy
interests, the needs of law enforcement and the interests of [the] thriving American tech sector.”Senator
Lee added that “the Fourth Amendment was
meant to protect” private information stored in “digital filing cabinets.”

The
27 year old ECPA, anEFF articleexplained, “allows
the government to argue that private online messages older than 180 days are
not protected by the Fourth Amendment and that the government can access the
messages without a warrant.” The
Sixth Circuit Court of Appeals, however, held in U.S. v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010) (“Warshak”) that the use of an ECPASection
2703(b) subpoena or court order to
obtain the contents of emails violated the Fourth Amendment’s prohibition
against warrantless searches.Chairperson
White claimed that S. 607’s codification of the Warshak decision would hinder the SEC’s investigations because the
SEC would have to obtain consent from the “entity
being investigated” in order to get email content “directly from ISPs.”

In
a May 30, 2013 memo, distributed to the ABA’s Administrative Law and Regulatory
Practice Section, Greg Nojeim(“Nojeim”),
with theCenter
for Democracy and Technology(“CDT”), strongly
disagreed with Chairperson White’s assessment that codifying the warrant
requirement would limit the SEC’s ability to conduct investigations.Nojeim expressed concern that the SEC wanted
to “get documents from service providers
without giving the target an opportunity to cull the records for relevancy,
assert any privilege, or otherwise raise any objections.

In
herletterto Senator Leahy, Chairperson White explained that the
SEC “frequently seeks to obtain the
contents of emails” in order to carry out its mandate.And without the Section 2703(b) authority to
subpoena an ISP directly, she argued, the SEC would not be able to obtain
critical evidence (e.g. deleted, not produced, or otherwise unavailable
emails.).Nojeim countered, in his memo,
that “regulatory agencies [including
the SEC] already have substantial power
to identify user accounts, freeze those accounts to prevent destruction or
alteration, and use subpoenas served on the account owner to force disclosure.”He argued that Chairperson White’s concerns
are already addressed under current law.For example, 18
USC 2703(f) requires an ISP, upon the request of a
government entity, to take all necessary steps to preserve records in its
possession pending the issuance of a court order or other process.

Chairperson
White concluded her letter by urging Senator Leahy to consider a “better balance between privacy interests
and the protection of investors.”“[I]n appropriate circumstances and with
court approval,” she recommended continued authority for the SEC to obtain
emails directly from ISPs.Alternately, Nojeim argued that passing S. 607
was the best way to allow the SEC to determine the “existence of possibly relevant information,” so then subpoenas could be “served on . . . subscribers
to actually obtain the content.”To
allow the SEC to obtain emails directly from ISPs,
Nojeim concluded, would be “unnecessary,
. . . diminish privacy, [and]
threaten proprietary information . . . .”Nojeim welcomes input from interested parties at gnojeim@cdt.orgor 202-407-8815.

Finally,
theEFFis “glad to
see ECPA reform robustly moving” and “with bills in both
houses of Congress the future of ECPA reform is bright.”The EFF believes that “users should be guaranteed the same rights in their virtual lives as
they are in their physical lives” and encourages interested parties to tell
“Congressmen to support reform.”Many are looking forward to the eventual modernization
of this dated privacy law.